PHP:Download alerting system




cat .htaccess <syntaxhighlight lang="php">

<IfModule mod_rewrite.c>

 RewriteEngine on

 # Route every request for a non-.php path through cgi-php/errore.php, which
 # logs the hit, checks the optional download key and streams ../files/<name>.
 # The requested path becomes the query string; QSA keeps the visitor's own
 # ?key=... (errore.php reads it back from REDIRECT_QUERY_STRING).
 #only allow server side php fopen/readfile to come thru here
 #RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+)/.*\ HTTP [NC]
 #except for:
 # NOTE(review): because .php paths are exempt from the rewrite, a .php file
 # placed anywhere under the document root -- including the upload directory
 # files/, if it sits below the document root as the ../files path in the
 # scripts suggests -- is executed directly instead of being served as a
 # download. The upload script's forbidden-extension list is what stands
 # between an upload and that behaviour.
 RewriteCond %{REQUEST_FILENAME} !^(.+)\.php$

 RewriteRule ^(.*)$ cgi-php/errore.php?$1 [L,QSA]

</IfModule> </syntaxhighlight>


cat cgi-php/errore.php <syntaxhighlight lang="php"> <? // Download script written by M. Minoves

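// ---------------------------------------------------------------------------
// Reviewed version of the download front-end.  Flow:
//   1. every non-.php request is rewritten here (see .htaccess) with the
//      requested path as the query string;
//   2. the path is reduced to a bare file name with a character whitelist;
//   3. the hit is appended to ../files/<name>.txt;
//   4. if ../files/<name>.info exists it supplies the download key that the
//      visitor must present as ?key=..., plus the alert e-mail settings;
//   5. ../files/<name> is streamed by dl_file() (defined below in this file)
//      and the script exits.
// Lines marked NOTE(review) describe behaviour that differs from the
// original listing and why.  The original's commented-out QUERY_STRING
// "404" guard is not reproduced.
// ---------------------------------------------------------------------------

// Returns $_SERVER[$clau] or '' when the entry is absent (HTTP_REFERER,
// HTTP_X_FORWARDED_FOR, ... are optional and raised notices before).
function servervar($clau)
{
    return isset($_SERVER[$clau]) ? (string) $_SERVER[$clau] : '';
}

// Flattens a client-supplied value to a single log column: tabs and line
// breaks become spaces so one request cannot forge extra columns or lines.
function camplog($valor)
{
    return str_replace(array("\t", "\r", "\n"), ' ', (string) $valor);
}

$direccio = urldecode(servervar('REDIRECT_URL'));

// SAFETY CHECK: keep only a conservative whitelist of characters ('/' is
// not in it).  NOTE(review): in this copy of the listing the call had no
// pattern delimiters and no replacement argument, so it could not have run
// as printed.  basename() then removes any remaining directory part.
$direccio = preg_replace('/[^a-zA-Z0-9 .&<>~()_\[\]\-]/', '', $direccio);
$direccio = basename((string) $direccio);

if ($direccio === "") {
    die("Safety Error.");
}

// NOTE(review): ../files/<name>.txt (this script's access log, which stores
// REQUEST_URI and therefore any ?key= value) and ../files/<name>.info (the
// sidecar holding the key) sit in the same directory as the shared files.
// The original served them like any other name, which sidesteps the key
// check; refuse them here.  Keeping logs and sidecars outside the served
// directory would be the structural fix.
$extensio = strrchr($direccio, '.');
$extensio = ($extensio === false) ? '' : strtolower($extensio);
if ($extensio === '.info' || $extensio === '.txt') {
    die("Safety Error.");
}

// The visitor's ?key=... survives the rewrite (QSA) and is read back from
// REDIRECT_QUERY_STRING; default to '' so the comparison below never sees
// an undefined variable.
$contrasenyarebuda = '';
parse_str(servervar('REDIRECT_QUERY_STRING'), $parametresurl);
if (isset($parametresurl['key'])) {
    $contrasenyarebuda = (string) $parametresurl['key'];
}

// Per-file access log, rotated once it passes ~500 kB.  ($direccio is
// already a non-empty basename, so the original's "desconegut.txt" fallback
// for an empty name could no longer trigger and is dropped.)
$logacces = "../files/" . $direccio . '.txt';
if (is_file($logacces) && filesize($logacces) > 500000) {
    rename($logacces, $logacces . "." . date("ymdHis") . ".txt");
}

// One tab-separated line per hit.  The column layout of the original is
// kept so existing logs stay parseable: the empty second column stands
// where the original referenced an undefined $two_letter_country_code, and
// ACCEPT_LANGUAGE is written twice as before.
$columnes = array(
    date("ymdD H:i:s"),
    '',
    servervar('REMOTE_ADDR'),
    servervar('HTTP_X_FORWARDED_FOR'),
    servervar('HTTP_ACCEPT_LANGUAGE'),
    servervar('HTTP_ACCEPT_LANGUAGE'),
    servervar('HTTP_USER_AGENT'),
    servervar('REDIRECT_URL'),
    servervar('REQUEST_URI'),
    servervar('HTTP_REFERER'),
    servervar('HTTP_ACCEPT_CHARSET'),
    servervar('HTTP_ACCEPT_ENCODING'),
    servervar('HTTP_ACCEPT'),
);
$usuari = implode("\t", array_map('camplog', $columnes)) . "\n";

// Logging stays best-effort, as in the original, but a failed fopen() no
// longer feeds false into fwrite().
$fp = fopen($logacces, "a+");
if ($fp !== false) {
    fwrite($fp, $usuari);
    fclose($fp);
}

// ****************************************************************
// Send the confirmation mail if the .info sidecar exists.  The .info file
// (written by admin/index.php) has this line-oriented format:
//   line 1:          e-mail address to notify
//   line 2:          visitor IPs for which no mail is needed (space/comma separated)
//   line 3:          uploader's name (not used here)
//   line 4:          download key; empty means no key is required
//   line 5:          mail subject
//   line 6 onwards:  mail body / description
$fitxerinfo = "../files/" . $direccio . '.info';
if (is_file($fitxerinfo)) {
    $gestor = fopen($fitxerinfo, "r");
    if ($gestor === false) {
        // NOTE(review): the original carried on with an unreadable sidecar,
        // which left $contrasenya empty and served the file without a key.
        die("Invalid key or file.");
    }
    $mailcomprovant = chop(fgets($gestor, 4096));
    $ipsnoenviar    = fgets($gestor, 4096);
    $nomusuari      = fgets($gestor, 4096); // line 3, read only to advance; not used
    $contrasenya    = trim(fgets($gestor, 4096));
    // trim() drops the newline fgets() leaves on the subject (the original
    // passed it to mail() as part of the Subject header); camplog() also
    // removes any stray CR/LF.
    $subjecte       = camplog(trim(fgets($gestor, 4096)));
    $missatge = '';
    while (!feof($gestor)) {
        $missatge .= fgets($gestor, 4096);
    }
    fclose($gestor);

    if ($contrasenya !== "") {
        // Constant-time comparison where available (PHP >= 5.6); the
        // original used a loose != against a possibly undefined variable.
        $clauvalida = function_exists('hash_equals')
            ? hash_equals($contrasenya, $contrasenyarebuda)
            : ($contrasenya === $contrasenyarebuda);
        if (!$clauvalida) {
            echo "Invalid key or file.";
            exit();
        }
    }

    $missatge = stripslashes($missatge);
    $ipsnoenviar = " " . str_replace(",", " ", chop($ipsnoenviar)) . " ";

    $ipremota    = servervar('REMOTE_ADDR');
    $ipreenviada = servervar('HTTP_X_FORWARDED_FOR');
    // NOTE(review): X-Forwarded-For is whatever the client (or a proxy in
    // front of it) sends, so honouring it here lets a visitor opt out of the
    // alert; only REMOTE_ADDR is vouched for by the server.  It is kept
    // because the upload form pre-fills the ignore list with both values.
    // An absent header is skipped: the original searched for "  " (two
    // spaces) in that case, which matched any doubled separator in the list
    // and silenced the alert for everyone.
    $ignorar = (strpos($ipsnoenviar, " " . $ipremota . " ") !== false)
        || ($ipreenviada !== '' && strpos($ipsnoenviar, " " . $ipreenviada . " ") !== false);

    // The address check the original left commented out (eregi) is restored
    // with filter_var(); a sidecar with a malformed address sends nothing.
    $adrecavalida = filter_var($mailcomprovant, FILTER_VALIDATE_EMAIL) !== false;

    if (!$ignorar && $adrecavalida) {
        // NOTE(review): the original re-used $usuari for line 3 of the
        // sidecar, clobbering the visitor log line built above, so the mail
        // body began with the uploader's own name rather than the download
        // record; that line is marked "no usat" there, so this looks
        // unintended and the log line is mailed instead.
        // The From address appears as "[email protected]" in this copy of
        // the listing; substitute the real sender address.
        mail($mailcomprovant, "[Comp] " . $subjecte, "$usuari \n\n$missatge", "From:[email protected]");
    }
}

// ****************************************************************
// Stream the file itself.  dl_file() never returns.
$filename = "../files/" . $direccio;
dl_file($filename);

exit();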


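function dl_file($file){

   // Streams $file to the client as an attachment and terminates the script.
   // $file is a filesystem path the caller has already reduced to
   // ../files/<basename>; this function does no path validation of its own.
   // Never returns: every path ends in die() or exit.

   //First, see if the file exists
   if (!is_file($file)) { die("404 File not found!"); }

   // No '@' suppression: a permission problem is worth a warning in the log.
   if (!is_readable($file)) { die("File cannot be read!"); }
   clearstatcache();

   // Size is taken once, before any header goes out, and checked: the
   // original concatenated a possibly-false filesize() into Content-Length.
   $mida = filesize($file);
   if ($mida === false) { die("File cannot be read!"); }

   header("Status: 200");

// Forces the download: http://php.net/manual/en/function.readfile.php

   header('Content-Description: File Transfer');
   header('Content-Type: application/octet-stream');
   // The file name is quoted (a bare filename= breaks on names with spaces);
   // quotes and line breaks are removed so the name cannot close the
   // parameter or smuggle a header.
   $nom = str_replace(array('"', "\r", "\n"), '', basename($file));
   header('Content-Disposition: attachment; filename="' . $nom . '"');
   header('Content-Transfer-Encoding: binary');
   header('Expires: 0');
   header('Cache-Control: must-revalidate');
   header('Pragma: public');
   header('Content-Length: ' . $mida);

   // Discard anything already buffered so the body matches Content-Length.
   // The original called ob_clean() unconditionally, which emits a notice
   // when no output buffer is active.
   while (ob_get_level() > 0) {
       ob_end_clean();
   }
   flush();
   readfile($file);
   exit;

 // Instead of downloading, the original carried a commented-out variant that
 // picked a Content-Type per extension so browsers display the file inline
 // (and refused .php/.txt).  It is not reproduced here; the attachment
 // download above is the only active behaviour.

} ?> </syntaxhighlight>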


admin/index.php <syntaxhighlight lang="php"> <?php // Download alerting script written by M. Minoves


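// Download alerting script written by M. Minoves (reviewed).
//
// Accepts one file upload plus alert settings, stores the file in ../files/
// and writes ../files/<name>.info, the sidecar that cgi-php/errore.php reads
// on every download.  Lines marked NOTE(review) differ from the original
// listing and say why.
//
// NOTE(review): nothing in this listing authenticates the uploader, and the
// site's .htaccess leaves .php paths reachable directly; access control for
// admin/ presumably lives in the web-server configuration -- confirm before
// relying on it.

// Maximum file size in bytes (50 MB).  In this copy of the listing the
// assignment had been pulled onto the comment line, leaving $MAX_SIZE
// undefined and the size check a no-op.  (The form label says "Max 50GB";
// the two disagree.)
$MAX_SIZE = 50000000;

// Allowable file Mime Types / extensions -- allowlists the original left
// disabled; an allowlist is the safer model, see the denylist note below.
//$FILE_MIMES = array('image/jpeg','image/jpg','image/gif','image/png','application/msword', 'text/html', 'application/pdf');
//$FILE_EXTS = array('.zip','.jpg','.png','.gif', '.htm', '.html', '.pdf', '.doc');

// Extensions that must never land in the served directory: the rewrite rule
// exempts .php paths, so the server would execute such an upload instead of
// errore.php streaming it.  NOTE(review): a denylist only blocks what it
// names; which other suffixes the server maps to PHP depends on its
// configuration, so prefer enabling the allowlist above.
$FILE_EXTS_FORBIDEN = array('.php', '.cgi', '.php5');

// Allow file delete? no, if only allow upload only.  (Same extraction
// problem as $MAX_SIZE: the assignment sat on the comment line.)
$DELETABLE = false;

// Appends one line to log.txt next to this script.  Client-supplied parts
// are flattened to a single line so a crafted file name cannot forge
// entries.  Best-effort: a log that cannot be opened is skipped.
function registra_log($text)
{
    $text = str_replace(array("\r", "\n"), ' ', $text);
    $resource = fopen("log.txt", "a");
    if ($resource !== false) {
        fwrite($resource, date("Ymd h:i:s") . $text . "\n");
        fclose($resource);
    }
}

/************************************************************
*     Setup variables
************************************************************/
$site_name = $_SERVER['HTTP_HOST'];
// SCRIPT_NAME rather than PHP_SELF: PHP_SELF can carry client-supplied
// path-info, and $url_this ends up inside a <script> block below.
// (HTTP_HOST is also taken from the request; with a catch-all virtual
// host it is client-controlled too.)
$url_dir  = "http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['SCRIPT_NAME']);
$url_this = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['SCRIPT_NAME'];

$upload_dir = "../files/";
$upload_url = $url_dir . "/../files/";   // passed to do_upload(), unused there
$message    = "";

/************************************************************
*     Create Upload Directory
************************************************************/
if (!is_dir($upload_dir)) {
    if (!mkdir($upload_dir))
        die("upload_files directory doesn't exist and creation failed");
    if (!chmod($upload_dir, 0755))
        die("change permission to 755 failed.");
}

/************************************************************
*     Process User's Request
************************************************************/
$del = isset($_REQUEST['del']) ? (string) $_REQUEST['del'] : '';

if ($del !== '' && $DELETABLE) {
    registra_log("DELETE - " . $_SERVER['REMOTE_ADDR'] . $del);

    // NOTE(review): deletion is limited to a plain file name inside
    // $upload_dir.  The original's two "possible hacking" guards were
    // empty statements, and its final test compared substr($del, 0, 6)
    // with the 9-character $upload_dir, so unlink() could never run.
    $nom  = basename($del);
    $cami = $upload_dir . $nom;
    if ($nom === '' || $nom[0] === '.' || !is_file($cami)) {
        $message = "Invalid File Specified.";
    } else {
        unlink($cami);
        // json_encode() yields a JS string literal that cannot break out of
        // the <script> element (the original interpolated $url_this raw).
        print "<script>window.location.href=" . json_encode($url_this . "?message=deleted successfully") . "</script>";
    }

} elseif (isset($_FILES['userfile'])) {
    $file_type = isset($_FILES['userfile']['type']) ? (string) $_FILES['userfile']['type'] : '';
    $file_name = isset($_FILES['userfile']['name']) ? (string) $_FILES['userfile']['name'] : '';
    registra_log("UPLOAD - " . $_SERVER['REMOTE_ADDR'] . $file_name . " " . $file_type);

    // Extension from the last '.'; '' when there is none (the original's
    // substr($file_name, false) yielded the whole name in that case).
    $punt     = strrpos($file_name, ".");
    $file_ext = ($punt === false) ? '' : strtolower(substr($file_name, $punt));

    if ($_FILES['userfile']['error'] !== UPLOAD_ERR_OK) {
        // No file chosen, or a server-side limit (upload_max_filesize /
        // post_max_size) hit; the original fell through to do_upload().
        $message = "Invalid File Specified.";
    } elseif ($_FILES['userfile']['size'] > $MAX_SIZE) {
        //File Size Check
        $message = "The file size is over the limit.";
    } elseif (in_array($file_ext, $FILE_EXTS_FORBIDEN, true)) {
        //File Type/Extension Check (see the allowlist note above)
        $message = "Sorry, $file_name($file_type) is not allowed to be uploaded.";
    } else {
        $message = do_upload($upload_dir, $upload_url);
    }
}

/************************************************************
*     List Files
************************************************************/
// The original kept a commented-out directory listing here (one link per
// file, with an optional delete link).  It is not reproduced: listing every
// shared name to whoever reaches this page would undo the per-file key that
// errore.php enforces.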

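function do_upload($upload_dir, $upload_url) {

    // Stores the uploaded file as $upload_dir<name> and writes the
    // $upload_dir<name>.info sidecar (alert address, ignored IPs, uploader
    // name, key, subject, body -- one field per line) that
    // cgi-php/errore.php reads on every download.
    // $upload_url is accepted for compatibility with the caller and unused.
    // Returns a status/error message; on success it prints the share URLs
    // and terminates with die(), as the original did.
    // Form fields are read from $_POST (the form is method="post"); the
    // original read $_REQUEST, which also accepts query-string and cookie
    // values.

    $temp_name = $_FILES['userfile']['tmp_name'];
    $file_name = str_replace(array("\\", "'"), "", (string) $_FILES['userfile']['name']);
    //SAFETY CHECK: the same whitelist errore.php applies to requested names,
    // so every stored name is one the download script accepts.
    // NOTE(review): in this copy of the listing the pattern lacked
    // delimiters and the empty replacement argument.
    $file_name = preg_replace('/[^a-zA-Z0-9 .&<>~()_\[\]\-]/', '', $file_name);
    $file_name = basename((string) $file_name);
    $file_path = $upload_dir . $file_name;

    //File Name Check.  Leading-dot names (e.g. .htaccess) are refused too:
    // a dot-file can change how the server treats the whole upload directory.
    if ($file_name == "" || $file_name[0] === '.') {
        return "Invalid File Name Specified.";
    }
    // .info and .txt are reserved for the sidecar and the per-file access
    // log, which errore.php refuses to serve.
    $ext = strrchr($file_name, '.');
    $ext = ($ext === false) ? '' : strtolower($ext);
    if ($ext === '.info' || $ext === '.txt') {
        return "Sorry, .info and .txt names are reserved.";
    }
    if (is_file($file_path)) {
        return "This file is already uploaded. Please change the name of the file before uploading it.";
    }

    $emailto = camp_post('emailto');
    // eregi() (removed in PHP 7) replaced by filter_var().
    if ($emailto != "" && filter_var($emailto, FILTER_VALIDATE_EMAIL) === false) {
        return "Invalid E-mail.";
    }

    // Every sidecar field must occupy exactly one line, otherwise the fields
    // errore.php reads shift; the original only stripped "\r" from the body.
    $ips       = camp_post('ips');
    $username  = camp_post('username');
    $key       = camp_post('key');
    $subjecte  = camp_post('subjecte');
    $missatge2 = str_replace("\r", "", isset($_POST['missatge']) ? (string) $_POST['missatge'] : "");
    $informacio = $emailto . "\n" . $ips . "\n" . $username . "\n" . $key . "\n" . $subjecte . "\n" . addslashes($missatge2);

    $fp = fopen($file_path . '.info', "w");
    if ($fp === false) {
        return "Somthing is wrong with uploading a file.";
    }
    fwrite($fp, $informacio);
    fclose($fp);

    $keyurl = "";
    if ($key != "") {
        // urlencode() so a key with spaces or '&' survives the share URL
        // (errore.php reads it back with parse_str()).
        $keyurl = '?key=' . urlencode($key);
    }

    if (!move_uploaded_file($temp_name, $file_path)) {
        // Do not leave an orphaned sidecar behind for a file that never arrived.
        unlink($file_path . '.info');
        return "Somthing is wrong with uploading a file.";
    }
    // NOTE(review): 0666 leaves the file world-writable; 0644 is enough for
    // the web server to read it -- confirm nothing else needs write access.
    if (!chmod($file_path, 0666)) {
        return "File change permission failed.";
    }

    // The name is HTML-escaped for display (the whitelist allows '<', '>'
    // and '&') and URL-encoded for the links.
    $file_nameURL  = urlencode($file_name);
    $file_nameHTML = htmlspecialchars($file_name, ENT_QUOTES, 'UTF-8');
    die("

$file_nameHTML uploaded correctly. This is the URL to share:

https://files.logicaspace.com/$file_nameURL$keyurl

Or inside Logica-CGI LAN:
https://10.48.31.211/$file_nameURL$keyurl
");
}

// Reads one single-line form field from $_POST: missing -> '', CR/LF -> space,
// surrounding whitespace trimmed (errore.php trims the key on its side too).
function camp_post($nom)
{
    $valor = isset($_POST[$nom]) ? (string) $_POST[$nom] : '';
    return trim(str_replace(array("\r\n", "\r", "\n"), ' ', $valor));
}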

// he substituit $_REQUEST[message] per $message

?>

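New Download Alert

  <?php
  // Default download key.  The original used rand() + a timestamp, which is
  // guessable from the upload time; random_bytes() needs PHP 7, so the old
  // form remains as the fallback where it is unavailable.
  $clauproposada = function_exists('random_bytes')
      ? bin2hex(random_bytes(8))
      : rand(1000, 9999) . date("YmdGis");
  // Everything echoed into the page is HTML-escaped: $message can contain
  // the uploaded file name, and X-Forwarded-For is a request header (the
  // original echoed both raw, and read the header without isset()).
  // NOTE(review): the form carries no anti-CSRF token; if admin/ is guarded
  // by a cookie or Basic-auth session, a cross-site POST could upload on
  // the administrator's behalf.
  $xff = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
  ?>
  <?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); ?>
  
<form name="upload" id="upload" ENCTYPE="multipart/form-data" method="post">
File to share (Max 50GB) <input type="file" id="userfile" name="userfile">
Your name (it won't be made visible) <input type="text" name="username" size="37">
(Optional)
Download Password / Unic ID to distingt different users downloading the same file.


You can enter the client name or client codename (ex. ESOC123456).


You can leave it empty for no key authentification.
<input type="text" name="key" size="37" value="<?php echo htmlspecialchars($clauproposada, ENT_QUOTES, 'UTF-8'); ?>">
Your Email where the download alert will be sent <input type="text" name="emailto" size="37">
Ignore these IP's (space separated) <input type="text" name="ips" size="37" value="80.153.145.11 <?php echo htmlspecialchars($_SERVER['REMOTE_ADDR'] . " " . $xff, ENT_QUOTES, 'UTF-8'); ?>">
Mail Subject <input type="text" name="subjecte" size="37">

Mail body (ex. Description of the file and client):

<textarea rows="12" name="missatge" cols="100"></textarea>

    <input type="submit" name="upload" value="Upload and configure" onclick="this.disabled=true;this.value='Sending, please wait...';this.form.submit();">
  </form>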
  

</syntaxhighlight>